<html>
<head><meta charset="utf-8"><title>Code signing for Cargo · general · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/index.html">general</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html">Code signing for Cargo</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="241672941"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241672941" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Demi Obenour <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241672941">(Jun 06 2021 at 04:57)</a>:</h4>
<p>Are there any plans to add some form of code signing to Cargo, preferably via The Update Framework (TUF)?  Right now, Qubes OS can’t use any packages from <code>crates.io</code> except for what the Fedora <code>rust</code> source package comes bundled with, and even then only by vendoring it.  That is very, <em>very</em> annoying.</p>



<a name="241674852"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241674852" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241674852">(Jun 06 2021 at 05:48)</a>:</h4>
<p><code>Cargo.lock</code> already contains hashes of the <code>.crate</code> files, so if a <code>Cargo.lock</code> already exists it shouldn't be an issue to use <a href="http://crates.io">crates.io</a> as you are already guaranteed to get the same version as the author. It would also be hard for <a href="http://crates.io">crates.io</a> to silently serve different people different versions of the same crate as it doesn't get to know the hash that is already stored in <code>Cargo.lock</code>.</p>



<a name="241679882"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241679882" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Demi Obenour <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241679882">(Jun 06 2021 at 08:15)</a>:</h4>
<p>That isn’t actually enough for us, as it leaves the problem of creating the <code>Cargo.lock</code> in the first place.</p>



<a name="241680112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241680112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241680112">(Jun 06 2021 at 08:21)</a>:</h4>
<p>Uhh, so, person who has no expierence and is just trying to be helpful here: it seems that PyPi is implementing this system. PEP-458 is the relevant decision. I'm not saying that it would make sense for Cargo, but if another major language package manager has decided to implement it might be worth it for someone to look at it.</p>



<a name="241680395"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241680395" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Demi Obenour <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241680395">(Jun 06 2021 at 08:27)</a>:</h4>
<p>Qubes OS follows a policy of distrusting its infrastructure, with the exception of a few trusted builders that cryptographically verify all code they download before building it.</p>



<a name="241680454"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241680454" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241680454">(Jun 06 2021 at 08:28)</a>:</h4>
<p>It's good to hear that you take security so seriously.</p>



<a name="241680530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241680530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241680530">(Jun 06 2021 at 08:30)</a>:</h4>
<p>While I know the Cargo team takes user feedback very seriously, it isn't likely to implement a significant new feature just because one user would find it useful. I might suggest framing it to them in terms of the security benefits for all of Cargo's users.</p>



<a name="241680604"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241680604" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Demi Obenour <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241680604">(Jun 06 2021 at 08:32)</a>:</h4>
<p><span class="user-mention silent" data-user-id="417924">Aris</span> <a href="#narrow/stream/122651-general/topic/Code.20signing.20for.20Cargo/near/241680530">said</a>:</p>
<blockquote>
<p>While I know the Cargo team takes user feedback very seriously, it isn't likely to implement a significant new feature just because one user would find it useful. I might suggest framing it to them in terms of the security benefits for all of Cargo's users.</p>
</blockquote>
<p>Agreed.  This would be a <em>very</em> large amount of work.</p>



<a name="241691057"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241691057" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241691057">(Jun 06 2021 at 13:06)</a>:</h4>
<p><span class="user-mention silent" data-user-id="391043">Demi Obenour</span> <a href="#narrow/stream/122651-general/topic/Code.20signing.20for.20Cargo/near/241679882">said</a>:</p>
<blockquote>
<p>That isn’t actually enough for us, as it leaves the problem of creating the <code>Cargo.lock</code> in the first place.</p>
</blockquote>
<p>Binary crates are encouraged to check-in a <code>Cargo.lock</code> file, so in most cases the <code>Cargo.lock</code> already exists in whatever source archive you use as build input. If you combine this with <code>--locked</code> you can be certain that if the <code>Cargo.lock</code> doesn't exist or is outdated the build will fail.</p>



<a name="241706593"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706593" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706593">(Jun 06 2021 at 19:19)</a>:</h4>
<p><span class="user-mention" data-user-id="391043">@Demi Obenour</span> This would be better discussed on #t-cargo rather than #general. To answer your question, it <em>has</em> been considered. Part of the issue is that it's a <em>complex</em> feature to add that requires getting all the details right, and we have a severe shortage of both developer and reviewer time right now.</p>



<a name="241706642"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706642" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706642">(Jun 06 2021 at 19:20)</a>:</h4>
<p>I don't think anyone is fundamentally opposed to having some sort of signing mechanism. It's more a matter of design/implementation/review bandwidth.</p>



<a name="241706650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706650">(Jun 06 2021 at 19:20)</a>:</h4>
<p>Also, any such effort would need to be coordinated with <a href="http://crates.io">crates.io</a>.</p>



<a name="241706669"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706669" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706669">(Jun 06 2021 at 19:21)</a>:</h4>
<p>There's also a lot of discussion about where precisely we want signing.</p>



<a name="241706732"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706732" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706732">(Jun 06 2021 at 19:22)</a>:</h4>
<p>For instance, signing indexes would help, and then the index already includes crate hashes, so that would be sufficient to establish a chain of trust from <a href="http://crates.io">crates.io</a> to the user running cargo.</p>



<a name="241706759"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706759" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706759">(Jun 06 2021 at 19:23)</a>:</h4>
<p>There have been requests to sign individual crates, but that would add much more complexity, and it isn't obvious that would provide additional benefit.</p>



<a name="241706816"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241706816" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241706816">(Jun 06 2021 at 19:24)</a>:</h4>
<p>On top of all of that, we're in the process of introducing a new index format, supporting indexes via HTTPS in addition to indexes via git. Any signing mechanism would need to work with the new index format (and ideally also the old index format).</p>



<a name="241712295"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241712295" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241712295">(Jun 06 2021 at 21:45)</a>:</h4>
<p>If y'all do consider doing it at some point, The Update Framework would be good to look at. Among other things, they seem to have worked out most of the details, including problems I hadn't even considered. For instance, they say it works against attacks that keep giving you the same version of a file so you never realize it has an update.</p>



<a name="241712340"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241712340" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241712340">(Jun 06 2021 at 21:46)</a>:</h4>
<p>It might be better to use a system where someone has already worked out and thoroughly checked all the details rather than rolling your own.</p>



<a name="241712349"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241712349" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> inquisitivecrystal <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241712349">(Jun 06 2021 at 21:46)</a>:</h4>
<p>But I hadn't heard of it before yesterday, and know nothing about the architecture of Cargo or <a href="http://crates.io">crates.io</a>, or about code signing.</p>



<a name="241736649"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Code%20signing%20for%20Cargo/near/241736649" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Code.20signing.20for.20Cargo.html#241736649">(Jun 07 2021 at 07:04)</a>:</h4>
<p>We've definitely had multiple recommendations for TUF.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>